A blog about Cyber Security & Compliance


July 2011

Tufin, a “Security LifeCycle Management solutions company”, claim that with effective Firewall change management a business could reduce the cost of its Firewall management by 50%.

Tufin use research from Frost and Sullivan to support their claim.

Frost & Sullivan reports that “The process of implementing a change request to a firewall is a combination of many tasks that are in most cases manual, unclear and time-consuming. [Tufin] SecureChange TM Workflow automates the request process, substantially reducing the overall IT costs associated with change requests by half annually.”

What is undeniable is the need for effective change management processes and controls for Firewalls if a Firewall, or any other security solution, is to remain efficient and secure.

Firewall change management is a mandated requirement in several legislative and compliance standards. For example, the Payment Card Industry Data Security Standard (PCI DSS) has a list of specific controls that should be in place and should be provable; a sample list of testing procedures from the standard is below:

1.1 Obtain and inspect the firewall and router configuration standards and other documentation specified below to verify that standards are complete. Complete the following:

1.1.1 Verify that there is a formal process for testing and approval of all network connections and changes to firewall and router configurations.

1.1.2.a Verify that a current network diagram (for example, one that shows cardholder data flows over the network) exists and that it documents all connections to cardholder data, including any wireless networks.

1.1.2.b Verify that the diagram is kept current.

1.1.3.a Verify that firewall configuration standards include requirements for a firewall at each Internet connection and between any DMZ and the internal network zone.

1.1.3.b Verify that the current network diagram is consistent with the firewall configuration standards.

1.1.4 Verify that firewall and router configuration standards include a description of groups, roles, and responsibilities for logical management of network components.

1.1.5.b Identify insecure services, protocols, and ports allowed; and verify they are necessary and that security features are documented and implemented by examining firewall and router configuration standards and settings for each service.

1.1.6.a Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months.

1.1.6.b Obtain and examine documentation to verify that the rule sets are reviewed at least every six months.

1.2 Examine firewall and router configurations to verify that connections are restricted between untrusted networks and system components in the cardholder data environment, as follows:

1.2.1.a Verify that inbound and outbound traffic is limited to that which is necessary for the cardholder data environment, and that the restrictions are documented.

1.2.1.b Verify that all other inbound and outbound traffic is specifically denied, for example by using an explicit “deny all” or an implicit deny after allow statement.

1.2.3 Verify that there are perimeter firewalls installed between any wireless networks and systems that store cardholder data, and that these firewalls deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

1.3 Examine firewall and router configurations—including but not limited to the choke router at the Internet, the DMZ router and firewall, the DMZ cardholder segment, the perimeter router, and the internal cardholder network segment—to determine that there is no direct access between the Internet and system components in the internal cardholder network segment.

1.3.6 Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.)

1.4.a Verify that mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), and which are used to access the organization’s network, have personal firewall software installed and active.

1.4.b Verify that the personal firewall software is configured by the organization to specific standards and is not alterable by users of mobile and/or employee-owned computers.

6.6 For public-facing web applications, ensure that either one of the following methods is in place:

Verify that public-facing web applications are reviewed (using either manual or automated vulnerability security assessment tools or methods), as follows:

Verify that a web-application firewall is in place in front of public-facing web applications to detect and prevent web-based attacks.

The day-to-day operation of a business can mean “quick changes” are made to firewalls and other security solutions that are not recorded but could significantly impact the business’s security level and the organisation’s ability to maintain compliance.

A spreadsheet could be an answer, but configuration changes often involve several tasks, for example testing the change prior to going live. Changes across multiple devices may involve several people, as security devices need highly skilled security professionals to manage them. Without an effective process or solution, an organisation could be wasting the time of expensive resources and may incur unexpected and costly downtime.
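As an added illustration (not code from the original post or from Tufin), the Python sketch below turns the PCI DSS testing procedures quoted above and the “quick change” problem into an automated audit: every rule must trace back to an approved and tested change ticket (1.1.1), an insecure service needs a documented justification (1.1.5.b), the rule set must have been reviewed within six months (1.1.6) and must end with an explicit deny-all (1.2.1.b). The rule and ticket format, the insecure-service list and the sample rule set are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumption: a representative list of services PCI DSS 1.1.5 would treat as
# insecure unless a documented business need exists (not exhaustive).
INSECURE_SERVICES = {"telnet", "ftp", "tftp", "rsh", "snmpv1"}
REVIEW_INTERVAL = timedelta(days=183)  # "at least every six months" (1.1.6)


@dataclass
class Rule:
    rule_id: str
    action: str                   # "allow" or "deny"
    src: str
    dst: str
    service: str                  # e.g. "https", "telnet", "any"
    ticket: Optional[str] = None  # change ticket that introduced the rule
    justification: str = ""       # documented need for an insecure service


@dataclass
class ChangeTicket:
    ticket_id: str
    approved: bool
    tested: bool


Finding = Tuple[str, Optional[str], str]  # (requirement, rule id, message)


def audit_ruleset(rules: List[Rule], tickets: List[ChangeTicket],
                  last_review: date, today: date) -> List[Finding]:
    """Check a rule set against the PCI DSS testing procedures quoted above."""
    findings: List[Finding] = []
    by_id = {t.ticket_id: t for t in tickets}

    for r in rules:
        # 1.1.1: every change goes through a formal test-and-approve process,
        # so a rule with no ticket is an unrecorded "quick change".
        t = by_id.get(r.ticket) if r.ticket else None
        if t is None:
            findings.append(("1.1.1", r.rule_id, "no change ticket recorded"))
        elif not (t.approved and t.tested):
            findings.append(("1.1.1", r.rule_id,
                             f"ticket {t.ticket_id} was not both approved and tested"))
        # 1.1.5.b: insecure services are allowed only with a documented reason.
        if (r.action == "allow" and r.service in INSECURE_SERVICES
                and not r.justification):
            findings.append(("1.1.5.b", r.rule_id,
                             f"insecure service {r.service} without justification"))

    # 1.2.1.b: all other traffic must be denied; the simplest provable form is
    # a final explicit deny-all rule.
    last = rules[-1] if rules else None
    deny_all = last is not None and (
        last.action, last.src, last.dst, last.service) == ("deny", "any", "any", "any")
    if not deny_all:
        findings.append(("1.2.1.b", None, "rule set does not end with an explicit deny-all"))

    # 1.1.6: rule sets must be reviewed at least every six months.
    age = today - last_review
    if age > REVIEW_INTERVAL:
        findings.append(("1.1.6", None, f"last rule set review was {age.days} days ago"))
    return findings


def sample_findings(include_deny_all: bool = True) -> List[Finding]:
    """Run the audit over a constructed rule set and change log."""
    tickets = [ChangeTicket("CHG-100", approved=True, tested=True),
               ChangeTicket("CHG-101", approved=True, tested=False)]
    rules = [
        Rule("R1", "allow", "internet", "dmz-web", "https", ticket="CHG-100"),
        Rule("R2", "allow", "dmz-web", "cde-db", "mssql", ticket="CHG-101"),
        # an undocumented "quick change" opening telnet into the DMZ
        Rule("R3", "allow", "admin-lan", "dmz-web", "telnet"),
    ]
    if include_deny_all:
        rules.append(Rule("R4", "deny", "any", "any", "any", ticket="CHG-100"))
    return audit_ruleset(rules, tickets,
                         last_review=date(2010, 12, 1), today=date(2011, 7, 15))


if __name__ == "__main__":
    for req, rule_id, msg in sample_findings():
        print(f"[{req}] {rule_id or 'rule set'}: {msg}")
```

The same findings are what an auditor would ask to see as evidence, so keeping the change log and review dates machine-readable is what makes the controls provable rather than just present.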

To meet these challenges in a cost-effective manner, Tufin recommends that organizations extend IT automation into the domain of network security configuration. Automating the security change lifecycle can help companies to:

Improve network security and uptime

Enforce corporate governance

Manage risk effectively and proactively

Increase operational efficiency

Comply with industry and regulatory standards

Audit security infrastructure quickly and accurately

Improve service levels

Tufin believe the key to an effective security change automation solution is a combination of both workflow and security technologies. Generic ticketing and helpdesk systems can route requests to security administrators, but since they have a limited understanding of security processes and compliance policies, they cannot automate and enhance each of the stages in a configuration change, from request and design, through implementation and auditing. A comprehensive security change automation solution will work either alone, or in concert with a standard ticketing system, to provide:


RSA recently analyzed one local pharming Trojan which they found to be a highly sophisticated piece of malware that goes as far as installing a driver to achieve its intended goal of stealing information. This is the first local pharming Trojan observed by RSA to even have a driver.

In fact, the Trojan has been widely reported to be the first rootkit ever designed to specifically infect 64-bit operating systems. However, the Trojan does not in fact install a rootkit; rather it installs a plainly visible malicious driver. Since rootkits by definition hide their very existence from the user, this driver cannot be classified as such. Any victim infected with this Trojan, dubbed Rootkit.Win32.Banker.dy (on 32-bit systems) or Rootkit.Win64.Banker.a (on 64-bit systems), will be able to see it in plain view on the currently-loaded driver list.

This particular Trojan was targeted at online banking consumers in Brazil, as it changes the hosts file settings for a handful of Brazilian banks.
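Because “local pharming” of this kind leaves its traces in the hosts file, a defender can check for it without any knowledge of the specific Trojan. The Python check below is an added example (not RSA’s analysis or code): it parses a hosts file and reports any name other than the expected loopback names, distinguishing names redirected to another address (pharming) from names pointed at loopback (blackholing, e.g. of an update server). The sample hosts file and all domain names in it are constructed placeholders.

```python
import ipaddress
from typing import List, Tuple

# Constructed hosts file standing in for what such a Trojan might leave behind;
# the bank and vendor names are placeholders, not real domains.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
# entries added without an approved change
192.0.2.10      www.examplebank.com.br
192.0.2.10      internetbanking.examplebank.com.br
127.0.0.1       updates.example-av.test
"""

# Names that legitimately live in a hosts file (assumption: extend per host).
EXPECTED_NAMES = {"localhost", "ip6-localhost", "broadcasthost",
                  "localhost.localdomain"}

Entry = Tuple[str, str, str]  # (kind, ip, hostname)


def suspicious_hosts_entries(text: str) -> List[Entry]:
    """Return hosts-file entries that redirect or blackhole unexpected names."""
    findings: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            # Not an address at all: worth a look, but not a pharming entry.
            findings.append(("malformed", parts[0], " ".join(parts[1:])))
            continue
        for name in parts[1:]:
            if name.lower() in EXPECTED_NAMES:
                continue
            # A public name mapped to a non-loopback address is local pharming;
            # one mapped to loopback silently blackholes that service.
            kind = "blackhole" if ip.is_loopback else "redirect"
            findings.append((kind, str(ip), name))
    return findings


if __name__ == "__main__":
    for kind, ip, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{kind:9} {ip:15} {name}")
```

On a real system the input would be read from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts, and any hit should be compared against the change record for that machine.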

May 2011 marked a surprising 33 percent increase in the number of global phishing attacks identified by RSA – and a record for the most unique attacks identified in a single month. About four out of five phishing attacks in May were launched using hijacked websites.

Number of Brands Attacked

The increase in phishing attacks numbers was not the only substantial change observed in May. RSA witnessed a 25 percent increase in the number of attacked brands suggesting criminals went after a wider variety of brands rather than consistently attacking the same brands. When compared year-over-year (May 2010), there was a 69 percent increase in the number of attacked brands.

Segmentation of Financial Institutions Attacked Within the U.S.

Nationwide banks in the U.S. accounted for 3 out of 4 phishing attacks in May. The portion of phishing attacks targeting U.S. credit unions dropped three percent, as did the portion of attacks against regional U.S. banks, decreasing from 22 percent in April to just 12 percent in May.

Top Ten Hosting Countries

Since January 2010, the U.S. has been the top hosting country for phishing attacks, hosting 66 percent of all phishing attacks in May. In the last year, the countries that have consistently hosted the highest portion of phishing attacks have been the U.S., UK, Canada, Germany, France, Russia, and South Korea.

Top Ten Countries by Attack Volume

The US, UK, South Africa and India remained the top four countries targeted with the most volume of phishing attacks in May. Malaysia, which appeared on the chart in April, was replaced by Colombia in May. In the last year, the U.S., UK, South Africa, Canada, the Netherlands, and Italy are the top countries that have consistently endured the highest volume of phishing attacks.

Top Ten Countries by Attacked Brands

The main change in May was Ireland being replaced by Brazil in terms of the Top Ten countries whose brands were most targeted by phishing. Brands in the U.S., UK, India, and Australia continue to endure the majority of targeted phishing attacks.


StillSecure have produced the “StillSecure PCI Calculator”, a free online tool designed to help Level 1 through 4 retailers examine, and potentially significantly reduce, the costs and complexities associated with PCI compliance. It is a very interesting approach to calculating the cost of compliance.

From the StillSecure press release:

Gartner issued its Retail Security & Compliance survey 2011, which examined security processes used by organizations subject to PCI, including current level of PCI compliance, spending on PCI compliance, and security threats. Among the key findings, the survey revealed that the costs associated with PCI security and compliance for merchants — excluding the cost of assessors — is an average of $1.7 million over 2.35 years. Over the same time period, Level 1 retailers spent an average of $2.1 million on PCI compliance, with Level 2-4 retailers spending an average of $1.1 million.

Based on the Gartner research, StillSecure claim that by using their PCI Complete security solution Level 1 merchants would save approximately $750,000, and Level 2-4 merchants over $400,000, over the same period.

“Gartner’s Retail Security & Compliance Survey 2011 data clearly shows that organizations are spending significant amounts to become PCI compliant,” said Avivah Litan, VP Distinguished Analyst, Gartner, Inc. “The data further shows that it’s not easy to become compliant and many retailers may be overwhelmed with the complex and numerous steps involved in the process. In fact, security breaches are common. Our assessment underscores the importance of exploring all available options for compliance and security.”

The Gartner report also tracked overall PCI compliance investments and PCI-related security risks. While 28 percent of respondents believed that their organization had to spend too much money to comply with PCI standards, 43 percent of respondents had experienced at least one type of security incident.

“StillSecure has been intensely focused on helping organizations achieve PCI compliance through our fully managed, independently approved solution, PCI Complete,” said Rajat Bhargava, CEO of StillSecure. “These solutions are certified by one of the world’s most stringent qualified security assessors (QSAs) and include PCI monitoring, scanning, as well as reporting and evidence creation capabilities that will save organizations as much as 30 to 50 percent on PCI compliance and auditing. Our PCI Calculator allows organizations to compare their current PCI compliance expenditures with other merchants of similar size, while also informing them on steps to reduce the costs of compliance.”

Download the PCI Calculator for yourself here, registration is required.


Fraud against the UK as a whole increased by 75.5 per cent from Jan – Jun 2010 to Jan – Jun 2011 (£608.57m – £1068.93m)

Fraud against the private sector accounted for 48 per cent of all UK fraud (by number of incidents) and 25 per cent of the total value of UK fraud, sitting at £266m for this period, a rise of nearly a third.

The average value of a fraud against the private sector rose from £2.5m last year to £4.2m this year.

Pre-occupied with battling the on-going downturn, UK businesses* now also find themselves fighting more fraud than ever before – KPMG reveals today.

January to June 2011** saw UK fraud reach £1.1bn (from £609m during the same period of 2010) with almost half (in volume terms) hitting private sector. Such activity cost £266m – nearly a third more than the prior year.

While the greatest burden, by value and number of cases, of fraud has been borne by Government agencies, the private sector is also under intense attack.

In fact, the average case value of private sector fraud has jumped from £2.5m, January – June 2010, to £4.2m for the same period this year.

Hitesh Patel, UK forensic partner, KPMG, said: “The evolution of ecommerce, as well as increased reliance on automated payment systems and the ability of professional criminals to stay one step ahead, has swollen overall UK fraud figures.

“But, fraud levelled at UK businesses tears at the very fabric of the economy. Although it is just as prevalent in larger organisations, the small and medium sized companies are more likely to suffer dire consequences as a result. For SMEs fraud can often lead to significant cash flow problems resulting in redundancies – and at worst a fight for survival.”

This is illustrated by a Wirral business brought to its knees by the in-house accountant who stole nearly £170,000 and then bragged about his lavish lifestyle on the internet. This instance led to multiple job losses while he took luxury holidays.

“The impact of fraud can be long lasting, affecting the organisation’s growth and competitiveness. It may dampen customer and staff confidence, cause reputational damage and detract from simply running the business,” he added.

Over-crowding

The UK (whether public or private sector) is now fighting multiple enemies. The majority of fraud is committed by professional criminals – with fraud perpetrated by criminal gangs rising 107 per cent in the first half of 2011.

Internal fraud committed by employees (of all levels of seniority) also did £225m worth of damage this year (up from £181m Jan – Jun 2010), with management fraud, averaging at £7.3m a case, and employee fraud around £708k.

“Operating in positions of trust and authority, helping them conceal their tracks with greater ease – the more senior the employee the more damage they can inflict when acting fraudulently,” Hitesh explained.

Focus on investors

Fraud against investors accounted for £263m – 25 per cent of all fraud in the first six months of 2011. In June four men were charged with fraud through land banking schemes which resulted in investors losing millions of pounds.

Hitesh said, “As investors search to get greater returns in a subdued economic climate, they are increasingly vulnerable to exotic and novel investment scams – which are rarely transparent or straightforward. Investors should do their research and be alert to opportunities that seem to offer returns significantly above the market rate – if an investment looks too good to be true, it probably is.”

Fight against fraud

With the introduction of the UK Bribery Act and the National Crime Agency it is clear the Government are taking the fight against fraud very seriously. Working collaboratively with Government, businesses are also strengthening their defences and taking a less reactive, more preventative stance.

“The culture and tone at the top are critical to stamping out internal fraud. In order to guard against professional criminals, and those operating outside the business, companies must fully assess where in their operations they are vulnerable. They should arm themselves with a set of controls that enable greater detection, such as whistle blowing lines and fraud risk reviews, while thoroughly mining the wealth of data that sits within an organisation and if analysed would identify fraudulent activity.”

“This huge increase in the level of fraud hitting the private sector demonstrates the importance of ensuring that companies have mechanisms to prevent fraud and detect misconduct effectively,” Hitesh concluded.

* UK business includes all commercial businesses and financial institutions.

** This summer’s KPMG Fraud Barometer measures fraud cases in the UK from January 2011 to June 2011 (inclusively), and compares to the same six month period in 2010.


Symantec have released their June 2011 Intelligence Report. The Symantec Intelligence Report provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this combined report includes data from May and June 2011.

Report highlights

Spam – 72.9% in June (a decrease of 2.9 percentage points since May 2011)

Phishing – One in 330.6 emails identified as Phishing (a decrease of 0.05 percentage points since May 2011)

Malware – One in 300.7 emails in June contained malware (a decrease of 0.12 percentage points since May 2011)

35.1% of all malicious domains blocked were new in June (a decrease of 1.7 percentage points since May 2011)

20.3% of all Web-based malware blocked was new in June (a decrease of 4.3 percentage points since May 2011)

Review of Spam-sending botnets in June 2011

Clicking to Watch Videos Leads to Pharmacy Spam

Wiki for Everything, Even for Spam

Phishers Return for Tax Returns

Fake Donations Continue to Haunt Japan

Spam Subject Line Analysis

Best Practices for Enterprises and Users

Spam Analysis

In June 2011, the global ratio of spam in email traffic decreased by 2.9 percentage points since May 2011 to 72.9% (1 in 1.37 emails).

Country          May    April   Change %
United States    29%    31%     -2
India             5%     4%      1
Russia            5%     5%
Brazil            5%     5%
Netherlands       5%     5%
Taiwan            3%     4%     -1
South Korea       3%     3%
Uruguay           3%     3%
Ukraine           3%     2%      1
China             2%     3%     -1

As the global spam level declined in June 2011, Saudi Arabia became the most spammed geography, with a spam rate of 82.2%, overtaking Russia, which moved into second position.

In the US, 73.7% of email was spam and 72.0% in Canada. The spam level in the UK was 72.6%. In The Netherlands, spam accounted for 73.0% of email traffic, 71.8% in Germany, 71.9% in Denmark and 70.4% in Australia. In Hong Kong, 72.2% of email was blocked as spam and 71.2% in Singapore, compared with 69.2% in Japan. Spam accounted for 72.3% of email traffic in South Africa and 73.4% in Brazil.

Global Spam Categories

Spam Category Name    June 2011
Pharmaceutical        40%
Adult/Sex/Dating      19%
Watches/Jewelry       18%
Newsletters           12%
Casino/Gambling        7%
Unknown                3%
Degrees/Diplomas       2%
Weight Loss            1%

Phishing Analysis

In June, Phishing activity decreased by 0.06 percentage points since May 2011; one in 286.7 emails (0.349%) comprised some form of Phishing attack.

Phishing Sources

Country          May    April     % change
United States    44%    55%       -11
Chile            15%    unlisted  N/A
Canada            5%     5%
Germany           5%     6%       -1
United Kingdom    4%     6%       -2
China             2%    unlisted  N/A
France            2%     3%       -1
Netherlands       2%     2%
Russia            1%     2%       -1
Australia         1%     3%       -2

South Africa remained the most targeted geography for Phishing emails in June, with 1 in 111.7 emails identified as phishing attacks. South Africa suffers from a high level of Phishing activity targeting many of its four major national banks, as well as other international financial institutions.

In the UK, phishing accounted for 1 in 130.2 emails. Phishing levels for the US were 1 in 1,270 and 1 in 207.7 for Canada. In Germany Phishing levels were 1 in 1,375, 1 in 2,043 in Denmark and 1 in 543.7 in The Netherlands. In Australia, Phishing activity accounted for 1 in 565.2 emails and 1 in 2,404 in Hong Kong; for Japan it was 1 in 11,179 and 1 in 2,456 for Singapore. In Brazil, 1 in 409.8 emails were blocked as Phishing attacks.

The Public Sector remained the most targeted by phishing activity in June, with 1 in 83.7 emails comprising a Phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 897.3 and 1 in 798.3 for the IT Services sector; 1 in 663.2 for Retail, 1 in 151.4 for Education and 1 in 160.8 for Finance.

Email-borne Threats

The global ratio of email-borne viruses in email traffic was one in 300.7 emails (0.333%) in June, a decrease of 0.117 percentage points since May 2011.

The UK remained the geography with the highest ratio of malicious emails in June, as one in 131.9 emails was blocked as malicious in June.

In the US, virus levels for email-borne malware were 1 in 805.2 and 1 in 297.7 for Canada. In Germany virus activity reached 1 in 721.0, 1 in 1,310 in Denmark and in The Netherlands 1 in 390.3. In Australia, 1 in 374.5 emails were malicious and 1 in 666.5 in Hong Kong; for Japan it was 1 in 2,114, compared with 1 in 946.7 in Singapore. In South Africa, 1 in 280.9 emails and 1 in 278.9 emails in Brazil contained malicious content. With 1 in 73.1 emails being blocked as malicious, the Public Sector remained the most targeted industry in June. Virus levels for the Chemical & Pharmaceutical sector were 1 in 509.4 and 1 in 513.8 for the IT Services sector; 1 in 532.8 for Retail, 1 in 130.4 for Education and 1 in 182.3 for Finance.

Malware Name                        % Malware
Exploit/SuspLink-d1f2               4.85%
Link-Trojan.Generic.5483393-4cac    2.89%
W32/NewMalware!836b                 2.41%
W32/NewMalware!0575                 2.39%
Exploit/Link-FakeAdobeReader-8069   2.32%
Trojan.Bredolab!eml-1f08            1.97%
Exploit/LinkAliasPostcard-d361      1.52%
W32/Packed.Generic-7946             1.46%
W32/Bredolab.gen!eml                1.36%
Exploit/FakeAttach-844a             1.39%

Web-based Malware Threats

In June, MessageLabs Intelligence identified an average of 5,415 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 70.8% since May 2011. This reflects the rate at which Web sites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity. The 70.8% rise marks a return to the highest rate since December 2010, as can be seen in the chart below; the rate had previously been diminishing during the first half of 2011.

As detection for Web-based malware increases, the number of new Web sites blocked decreases and the proportion of new malware begins to rise, but initially on fewer Web sites. Further analysis reveals that 35.1% of all malicious domains blocked were new in June; a decrease of 1.7 percentage points compared with May 2011. Additionally, 20.3% of all Web-based malware blocked was new in June; a decrease of 4.3 percentage points since the previous month.

Endpoint Security Threats

The endpoint is often the last line of defense and analysis; however, it can also be the first line of defense against attacks that spread using USB storage devices and insecure network connections. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering. The table below shows the malware most frequently blocked targeting endpoint devices for the last month. This includes data from endpoint devices protected by Symantec technology around the world, including data from clients which may not be using other layers of protection, such as Symantec Web Security.cloud or Symantec Email AntiVirus.cloud.

36.8% of all malicious domains blocked were new in May (an increase of 3.8 percentage points since April 2011)

24.6% of all web-based malware blocked was new in May (an increase of 2.1 percentage points since April 2011)

For the First Time, Spammers establish their own fake URL-shortening services

Spammers are establishing their own fake URL-shortening services to perform URL redirection. This new spamming activity has contributed to this month’s increase in spam by 2.9 percentage points, a rise that was also expected following the Rustock botnet takedown in March.

Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites. These shortened URLs lead to a shortened URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s own Web site.

“MessageLabs Intelligence has been monitoring the way that spammers abuse URL-shortening services for a number of years using a variety of different techniques so it was only a matter of time before a new technique appeared,” said Paul Wood, MessageLabs Intelligence Senior Analyst. “What is unique about the new URL-shortening sites is that the spammers are treating them as ‘stepping stones’ – a link between public URL-shortening services and the spammers’ own sites.”

To make things more interesting, these new domains were registered several months before they were used, potentially as a means to evade detection by legitimate URL-shortening services: since the age of a domain may be used as an indicator of legitimacy, an aged domain makes it more difficult for the genuine shortening services to identify potential abuse.

“With legitimate URL-shortening services attempting to tackle abuse more seriously, spammers seem to be experimenting with ways to establish their own services to better avoid disruption,” Wood said. “However, as long as new URL-shortening services are being created, we expect spammers to continue abusing them.”
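The “stepping stone” pattern described above can be recognised from the redirect chain alone, which is useful for a mail gateway or URL-scanning service that already expands short links. The Python example below is added here and is not Symantec’s or MessageLabs’ code: it resolves a chain of redirects from a constructed map (standing in for the HTTP 301/302 responses a real resolver would fetch) and flags a chain whose first hop is a known public shortener, whose second hop is another short-code URL on a host that is not a known shortener, and which then redirects onward. All hostnames, the known-shortener list and the short-code pattern are assumptions.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed redirect map standing in for the HTTP 301/302 responses a
# resolver would observe; all hosts are placeholders under .example.
REDIRECTS: Dict[str, str] = {
    # public shortener -> spammer-run shortener -> spam landing page
    "http://public-short.example/7hx2q": "http://rdr-short.example/a1",
    "http://rdr-short.example/a1": "http://pills.example/buy?ref=a1",
    # public shortener -> ordinary site
    "http://public-short.example/k9pz0": "http://news.example/story/42",
    # a redirect loop, to show the resolver terminates
    "http://loop.example/x": "http://loop.example/y",
    "http://loop.example/y": "http://loop.example/x",
}

# Assumption: the shortening services the organisation treats as legitimate.
KNOWN_SHORTENERS = {"public-short.example"}
SHORT_PATH = re.compile(r"^/[A-Za-z0-9_-]{1,12}$")  # looks like a short code


def resolve_chain(url: str, redirects: Dict[str, str], max_hops: int = 5) -> List[str]:
    """Follow redirects from url, stopping on a loop or after max_hops."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        if url in chain:          # redirect loop
            break
        chain.append(url)
    return chain


def looks_like_short_link(url: str) -> bool:
    p = urlparse(url)
    return bool(SHORT_PATH.match(p.path)) and not p.query


def classify(url: str, redirects: Dict[str, str] = REDIRECTS) -> str:
    """Label a link as not-shortened, shortened, or stepping-stone."""
    chain = resolve_chain(url, redirects)
    hosts = [urlparse(u).hostname for u in chain]
    if hosts[0] not in KNOWN_SHORTENERS:
        return "not-shortened"
    # Stepping stone: a legitimate short link lands on another short-code URL
    # at a host that is not a known shortener, which then redirects onward.
    # Domain age is deliberately not used as a signal here, since the page
    # notes these domains were aged for months before use.
    if (len(chain) >= 3 and hosts[1] not in KNOWN_SHORTENERS
            and looks_like_short_link(chain[1])):
        return "stepping-stone"
    return "shortened"


if __name__ == "__main__":
    for link in ("http://public-short.example/7hx2q",
                 "http://public-short.example/k9pz0",
                 "http://news.example/story/42"):
        print(f"{classify(link):15} {' -> '.join(resolve_chain(link, REDIRECTS))}")
```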

Symantec MessageLabs Email AntiVirus.cloud

The global ratio of email-borne viruses in email traffic was one in 222.3 emails (0.450%) in May, a decrease of 0.143 percentage points since April 2011.

In May, 30.0% of email-borne malware contained links to malicious Web sites, an increase of 16.9 percentage points since April 2011. A large number of emails containing variants of Bredolab related malware, accounted for 16.3% of all email-borne malware, compared with 55.1% in the previous month. These variants were commonly attached as ZIP files, rather than hyperlinks, and as the volume of these attacks diminishes, the proportion of attacks using hyperlinks increased.

The UK had the highest ratio of malicious emails in May, as one in 91.7 emails was blocked as malicious in May. A large number of variants of Bredolab malware continued to be observed in a number of countries during May, as highlighted in the table below.

In the US, virus levels for email-borne malware were 1 in 540.3 and 1 in 334.5 for Canada. In Germany virus activity reached 1 in 435.9, 1 in 1,197 in Denmark and in The Netherlands 1 in 330.1. In Australia, 1 in 513.5 emails were malicious and 1 in 377.2 in Hong Kong; for Japan it was 1 in 1,164, compared with 1 in 706.7 in Singapore. In South Africa, 1 in 178.7 emails and 1 in 378.3 emails in Brazil contained malicious content. With 1 in 28.9 emails being blocked as malicious, the Public Sector remained the most targeted industry in May. Virus levels for the Chemical & Pharmaceutical sector were 1 in 305.9 and 1 in 367.9 for the IT Services sector; 1 in 377.7 for Retail, 1 in 108.8 for Education and 1 in 313.5 for Finance.

Phishing Analysis

In May, Phishing activity decreased by 0.06 percentage points since April 2011; one in 286.7 emails (0.349%) comprised some form of Phishing attack.

South Africa remained the most targeted geography for Phishing emails in May, with 1 in 80.2 emails identified as Phishing attacks. South Africa suffers from a high level of Phishing activity targeting many of its four major national banks, as well as other international financial institutions.

In the UK, Phishing accounted for 1 in 100.1 emails. Phishing levels for the US were 1 in 1,227 and 1 in 239.2 for Canada. In Germany Phishing levels were 1 in 1,540, 1 in 2,662 in Denmark and 1 in 780.9 in The Netherlands. In Australia, Phishing activity accounted for 1 in 1,022 emails and 1 in 2,235 in Hong Kong; for Japan it was 1 in 10,735 and 1 in 2,111 for Singapore. In Brazil, 1 in 589.5 emails were blocked as Phishing attacks.

The Public Sector remained the most targeted by Phishing activity in May, with 1 in 33.2 emails comprising a Phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 982.8 and 1 in 738.9 for the IT Services sector; 1 in 537.0 for Retail, 1 in 141.4 for Education and 1 in 267.0 for Finance.

Symantec MessageLabs Web Security.cloud

In May, MessageLabs Intelligence identified an average of 3,142 Web sites each day harboring malware and other potentially unwanted programs including Spyware and adware; an increase of 30.4% since April 2011. This reflects the rate at which Web sites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity.

As detection for Web-based malware increases, the number of new Web sites blocked decreases and the proportion of new malware begins to rise, but initially on fewer Web sites. Further analysis reveals that 36.8% of all malicious domains blocked were new in May; an increase of 3.8 percentage points compared with April 2011. Additionally, 24.6% of all Web-based malware blocked was new in May; an increase of 2.1 percentage points since the previous month.

Endpoint Protection

The endpoint is often the last line of defense and analysis. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering.

The most frequently blocked malware for the last month was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit3, a worm that spreads through removable drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions. Variants of the Ramnit worm accounted for 14.0% of all malicious software blocked by endpoint protection technology in May.

Geographical Trends:

Russia became the most spammed in May with a spam rate of 82.2 percent.

In the US 76.4 percent of email was spam and 75.3 percent in Canada and 75.4 percent in the UK.

In The Netherlands, spam accounted for 77.5 percent of email traffic, in Germany 75.5 percent, 75.1 percent in Denmark and 73.9 percent in Australia.

In South Africa, spam accounted for 75.9 percent of email traffic and 74.8% in Brazil.

The UK had the highest ratio of malicious emails in May, as one in 91.7 emails was blocked as malicious in May.

In the US virus levels were 1 in 540.3 and 1 in 334.5 forCanada. In Germany, virus levels reached 1 in 435.9, 1 in 1,197 in Denmark and 1 in 330.1 for The Netherlands.

In Australia, 1 in 513.5 emails were malicious and 1 in 377.2 for Hong Kong; for Japan it was 1 in 1,164 compared with 1 in 706.7 for Singapore.

In South Africa 1 in 178.7 emails contained malicious content and in Brazil it was 1 in 378.3.

Vertical Trends:

In May, the most spammed industry sector with a spam rate of 80.2 percent was the Wholesale sector.

Spam levels for the Education sector were 77.4 percent, 76.0 percent for the Chemical & Pharmaceutical sector, 75.4 percent for IT Services, 75.4 percent for Retail, 74.5 percent for Public Sector and 74.7 percent for Finance.

In May, the Public Sector remained the most targeted industry for malware with 1 in 28.9 emails being blocked as malicious.

Virus levels for the Chemical & Pharmaceutical sector were 1 in 305.9, 1 in 367.9 for the IT Services sector, 1 in 377.7 for Retail, 1 in 108.8 for Education and 1 in 313.5 for Finance.


In its Intelligence Report for June 2011, Symantec published a set of Best Practice Guidelines for Enterprises wishing to improve their IT Security.

The details of the Best Practice Guide are below.

1. Employ defense-in-depth strategies: Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls, as well as gateway antivirus, intrusion detection, intrusion protection systems, and Web security gateway solutions throughout the network.

3. Antivirus on endpoints is not enough: On endpoints, signature-based antivirus alone is not enough to protect against today’s threats and Web-based attack toolkits. Deploy and use a comprehensive endpoint security product that includes additional layers of protection including:

Endpoint intrusion prevention that protects against un-patched vulnerabilities from being exploited, protects against social engineering attacks and stops malware from reaching endpoints;

Consider cloud-based malware prevention to provide proactive protection against unknown threats;

File and Web-based reputation solutions that provide a risk-and-reputation rating of any application and Web site to prevent rapidly mutating and polymorphic malware;

Behavioral prevention capabilities that look at the behavior of applications and malware and prevent malware;

Application control settings that can prevent applications and browser plug-ins from downloading unauthorized malicious content;

Device control settings that prevent and limit the types of USB devices to be used.

4. Use encryption to protect sensitive data: Implement and enforce a security policy whereby sensitive data is encrypted. Access to sensitive information should be restricted. This should include a Data Loss Protection (DLP) solution, which is a system to identify, monitor, and protect data. This not only serves to prevent data breaches, but can also help mitigate the damage of potential data leaks from within an organization.

5. Use Data Loss Prevention to help prevent data breaches: Implement a DLP solution that can discover where sensitive data resides, monitor its use and protect it from loss. Data loss prevention should be implemented to monitor the flow of data as it leaves the organization over the network and to monitor the copying of sensitive data to external devices or Web sites. DLP should be configured to identify and block suspicious copying or downloading of sensitive data. DLP should also be used to identify confidential or sensitive data assets on network file systems and PCs so that appropriate data protection measures like encryption can be used to reduce the risk of loss.

6. Implement a removable media policy. Where practical, restrict unauthorized devices such as external portable hard-drives and other removable media. Such devices can both introduce malware as well as facilitate intellectual property breaches—intentional or unintentional. If external media devices are permitted, automatically scan them for viruses upon connection to the network and use a DLP solution to monitor and restrict copying confidential data to unencrypted external storage devices.

7. Update your security countermeasures frequently and rapidly: With more than 286M variants of malware detected by Symantec in 2010, enterprises should be updating security virus and intrusion prevention definitions at least daily, if not multiple times a day.

8. Be aggressive on your updating and patching: Update, patch and migrate from outdated and insecure browsers, applications and browser plug-ins to the latest available versions using the vendors’ automatic update mechanisms. Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Be wary of deploying standard corporate images containing older versions of browsers, applications, and browser plug-ins that are outdated and insecure. Wherever possible, automate patch deployments to maintain protection against vulnerabilities across the organization.

9. Enforce an effective password policy. Ensure passwords are strong; at least 8-10 characters long and include a mixture of letters and numbers. Encourage users to avoid re-using the same passwords on multiple Web sites and sharing of passwords with others should be forbidden. Passwords should be changed regularly, at least every 90 days. Avoid writing down passwords.

10. Restrict email attachments: Configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. Enterprises should investigate policies for .PDFs that are allowed to be included as email attachments.

11. Ensure that you have infection and incident response procedures in place:

Ensure that you have your security vendors contact information, know who you will call, and what steps you will take if you have one or more infected systems;

Ensure that a backup-and-restore solution is in place in order to restore lost or compromised data in the event of successful attack or catastrophic data loss;

Make use of post-infection detection capabilities from Web gateway, endpoint security solutions and firewalls to identify infected systems;

Isolate infected computers to prevent the risk of further infection within the organization;

If network services are exploited by malicious code or some other threat, disable or block access to those services until a patch is applied;

Perform a forensic analysis on any infected computers and restore those using trusted media.

12. Educate users on the changed threat landscape:

Do not open attachments unless they are expected and come from a known and trusted source, and do not execute software that is downloaded from the Internet (if such actions are permitted) unless the download has been scanned for viruses;

Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends;

Do not click on shortened URLs without previewing or expanding them first using available tools and plug-ins;

Recommend that users be cautious of information they provide on social networking solutions that could be used to target them in an attack or trick them to open malicious URLs or attachments;

Be suspicious of search engine results and only click through to trusted sources when conducting searches, especially on topics that are hot in the media;

Only download software (if allowed) from corporate shares or directly from the vendor’s Web site;

If users see a warning indicating that they are “infected” after clicking on a URL or using a search engine (fake antivirus infections), have users close or quit the browser using Alt-F4, CTRL+W or the task manager.
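Item 10 above recommends configuring mail servers to block or remove attachments with extensions commonly used to spread viruses. The following Python filter is an added example written for this post, not Symantec’s code or any product of theirs: it parses a MIME message, flags attachments whose name ends in one of the listed extensions (case-insensitively, catching double extensions such as report.pdf.exe) and, going one step beyond the text, also flags any payload that begins with the “MZ” signature of a Windows executable regardless of its name. Flagged parts are replaced by a short notice so the rest of the message can still be delivered; the sample message, addresses and notice wording are constructed here.

```python
"""Mail-gateway attachment filter for the control in item 10 (restrict email
attachments).  Added example, not Symantec's or the blog's code.  Blocked
extensions come from the text; the "MZ" content check is an extra signal
so a renamed executable is caught too.  Flagged parts are replaced by a
notice instead of rejecting the whole message."""
import email
from email import policy
from email.message import EmailMessage

# Extensions named in item 10 of the guide; compared in lower case.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}
NOTICE = "Removed by mail policy: {name} ({reason})"


def is_blocked_name(filename):
    """True if the name ends in a blocked extension.

    Trailing dots and spaces are stripped first because Windows ignores
    them when resolving the real extension; only the final extension
    matters, so "report.pdf.exe" is caught.
    """
    cleaned = filename.strip().rstrip(". ").lower()
    return any(cleaned.endswith(ext) for ext in BLOCKED_EXTENSIONS)


def looks_like_windows_exe(data):
    """True if the payload starts with the MZ header of a DOS/PE executable."""
    return data[:2] == b"MZ"


def classify_part(part):
    """Return a reason string if the part violates policy, else None."""
    name = part.get_filename()  # Content-Disposition, then Content-Type name=
    if not name:
        return None  # message body, not an attachment
    if is_blocked_name(name):
        return "blocked extension"
    if looks_like_windows_exe(part.get_payload(decode=True) or b""):
        return "executable content"
    return None


def scan_message(raw_bytes):
    """Return [(filename, reason)] for every attachment that violates policy."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reason = classify_part(part)
        if reason:
            findings.append((part.get_filename(), reason))
    return findings


def strip_blocked_attachments(raw_bytes):
    """Replace each violating part with a notice; return (new_bytes, removed_names)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reason = classify_part(part)
        if reason:
            name = part.get_filename()
            removed.append(name)
            # set_content() drops every Content-* header, including the
            # Content-Disposition that carried the file name, then sets the body.
            part.set_content(NOTICE.format(name=name, reason=reason))
    return msg.as_bytes(), removed


def build_sample_message():
    """Constructed sample: a benign PDF, a double-extension EXE and an
    executable hiding behind a .txt name (contents are placeholder bytes)."""
    msg = EmailMessage()
    msg["From"] = "payroll@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Payroll discrepancy"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="octet-stream", filename="Statement.PDF.exe")
    msg.add_attachment(b"MZ constructed sample", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for name, reason in scan_message(raw):
        print(f"blocked: {name} ({reason})")
    cleaned, removed = strip_blocked_attachments(raw)
    print(f"removed {len(removed)} attachment(s), delivering {len(cleaned)} bytes")
```

Name-based blocking is only as good as the list, which is why the content check is worth keeping alongside it; the same approach extends to the .PDF policy the item asks enterprises to investigate.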


The UK Information Commissioner’s Office can levy fines of up to £500,000 for data breaches, which proves data security is essential. And while it’s not illegal in the UK to lose data – regulators understand there is no 100% in security – you do need to demonstrate you’re managing information risks responsibly. Read this paper to get the key items you should cover to avoid the ICO’s wrath in 2011.


Cisco Security Intelligence Operations’ (SIO) research has found that “Cybercriminal business models have recently shifted toward low volume targeted attacks. With email remaining the primary attack vector, these attacks are increasing in both their frequency and their financial impact on targeted organizations”.

Cisco SIO estimates that the Cybercriminal benefit resulting from traditional mass email based attacks has declined more than 50 percent, from US$1.1 billion in June 2010 to $500 million in June 2011 on an annualized basis.

This change reflects a reduction in spam volume from 300 billion to 40 billion spam messages daily between June 2010 and June 2011. This reduction is consistent with continued low user conversion rates and is partially offset by increases in the average user spending on conversions.

This decline has been offset by a small subset of mass attacks: scams and malicious attacks, which make up about 0.2 percent of total mass attacks and have been providing greater cybercriminal benefit. By using more personalization tools, the user conversion rates for the better crafted scams and malicious attacks have increased significantly in the last year. In addition, the average user loss caused by the malware or scam employed has increased because of the information shared.

Cisco’s Attack Classifications

As Cybercriminal activity continues to evolve, the specific attacks and their impact to organizations also change.

Mass Attacks

Mass attacks have been the basis of threats since the first days of distributed networks. Self-propagating worms, distributed denial of service (DDoS) attacks, and spam are some preferred methods for achieving financial gain or business disruption.

The criminal creates a common payload and places it in locations that victims might access, often inadvertently. Examples include infecting websites, exploiting security vulnerabilities in file formats such as PDFs, sending emails to make a purchase, and mass Phishing of banking credentials. Traditional anti-threat methods rely on several factors, including quickly identifying the threat when first reported or seen in the network and then blocking similar threats in the future. If criminals infiltrate the security layers far enough to reach their targets, they’ll achieve the desired result in sufficient quantities to make this business model lucrative.

A significant segment of this type of attack is the burgeoning number of scams and malicious attacks. As part of the evolution of the criminal ecosystem, these attacks are becoming highly focused. Regardless of the vector or delivery engine, including short message service (SMS), email and social media, criminals are choosing their targets with greater care, using personalized information such as a user’s geographical location or job position. Examples of these scams include:

SMS financial fraud scams to specific locales

Email campaigns that use URL shortening services

Social media scams, where the criminal befriends a user or group of users for financial gain

When only a few threats are sent, these strategies may be effective in reaching the victims, but may not always prove cost effective to the criminals. Yet, for reaching high value victims, this approach is increasingly being leveraged by smart, organized, and profit driven criminals. When criminals are specific about their victim profiles, these threats are referred to as Spearphishing attacks.

Spearphishing attacks are aimed at a specific profile of users, often high ranking organizational users who have access to commercial bank accounts. Spearphishing attacks are typically well crafted; they use contextual information to make users believe they are interacting with legitimate content. The Spearphishing email may appear to relate to some specific item of personal importance or a relevant matter at the company, for instance payroll discrepancies or a legal matter. According to Cisco SIO research, more than 80 percent of Spearphishing attacks contain links to websites with malicious content. Yet the linked websites are often specially crafted and previously unseen, making them difficult to detect.

Cybercriminal Benefit (US$ million)

Attack type              1 Year Ago    Current
Spam Attacks                 $1,000       $300
Scams and Malicious             $50       $200
Totals                       $1,050       $500

Targeted Attacks

Targeted attacks are highly customized threats directed at a specific user or group of users, typically for intellectual property theft. These attacks are very low in volume and can be disguised either behind known entities with unwittingly compromised accounts or behind the anonymity of specialized botnet distribution channels. Targeted attacks generally employ some form of malware and often use zero day exploits in order to gain initial entry to the system and to harvest desired data over a period of time. With these attacks, criminals often use multiple methods to reach the victim. Targeted attacks are difficult to protect against and have the potential to deliver the most potent negative impact to victims. While potentially similar in structure, the major differentiator of targeted attacks relative to Spearphishing attacks is the focus on the victim. A targeted attack is directed toward a specific user or group of users, whereas a Spearphishing attack is usually directed toward a group of people with a commonality, such as being customers of the same bank. Targeted attackers often build a dossier of sorts on intended victims, gleaning information from social networks, press releases, and public company correspondence. While Spearphishing attacks may contain some personalized information, a targeted attack may contain a great deal of information which is highly personalized and generally of unique interest to the intended target.

A well publicized example of a targeted attack is the Stuxnet attack, a computer worm discovered in July 2010 which specifically targeted industrial software and equipment. Stuxnet exploited a vulnerability in the way that Windows handles shortcut files, allowing the worm to spread to new systems. The worm is believed to be purpose built to attack Supervisory Control and Data Acquisition (SCADA) systems, those used to manage complex industrial networks, such as systems at power plants and chemical manufacturing facilities. Stuxnet’s cleverness is in its ability to traverse non-networked systems, which means that even systems unconnected to networks or the Internet are at risk. Operators believed that a default Siemens password (which had been made public on the web some years earlier) could not be corrected by vendors without causing significant difficulty for customers. The SCADA system operators might have been laboring under a false sense of security: because their systems were not connected to the public Internet, they might have believed they would not be prone to infection.

Federal News Radio’s website called Stuxnet “the smartest malware ever.”

In January 2011, Cisco SIO detected a targeted attack message sent to senior executives at a large corporation. This campaign was sophisticated, in that it used previously unseen resources. The message was sent by an unknown party through a legitimate but compromised server in Australia. The email message was seemingly legitimate. The embedded action URL was hosted on a legitimate but compromised law blog. When clicked, the user’s browser was directed to a previously unknown copy of the Phoenix exploit kit. After the exploit was successful, it installed the Zeus Trojan on the victim’s computer.

Economics of Attacks

The economics of a typical campaign underscore the difference between mass and targeted attack business models.

For an individual campaign, the economics of a Spearphishing attack can be more compelling than for a mass attack. The costs are significantly higher, but so too are the yield and benefit. Cisco SIO estimates the costs of a Spearphishing attack at five times the cost of a mass attack, given the quality of the list acquisition, botnet leased, email generation tools, malware purchased, website created, campaign administration tools, order processing back-end infrastructure, fulfillment providers, and user background research activity required. This significantly higher cost basis and greater effort requires highly specialized skills. It also requires higher yields to be effective.

Cybercriminals are balancing competing priorities: Infect more users or keep the attack small enough to fly under security vendors’ radar? Spearphishing attack campaigns are limited in volume but offer higher user open and click through rates. With these constraints, Cybercriminals are increasingly focusing on business users with access to corporate banking accounts, to make sure they’re seeing sufficient return per infection. This is why the average value per victim can be 40 times that of a mass attack. Ultimately, this approach is justified:

“Profit from a single Spearphishing attack campaign can be more than 10 times that of a mass attack”

The potential returns are causing a shift in Cybercriminal business models. Presently, the opportunity cost of spamming may not be worth the rate of return due to increases in both anti-spam efficacy and user awareness. Instead, Cybercriminals are focusing more time and effort on different types of targeted attacks, often with the goal of gaining access to more lucrative corporate and personal bank accounts and valuable intellectual property.

To make their attacks more personalized, some Cybercriminals have focused on infiltrating email marketing vendors, since they hold valid names, email addresses, and other attributes. When used in scams and malicious attacks, whether on a mass scale or in Spearphishing attacks, this personal information increases the likelihood of users opening an attack email. The correlation of lower mass spam with recent data breaches is interesting, but the real takeaway is that attacks are becoming more personalized.

Impact of Personalized Attacks

Spearphishing attacks, though lower in volume relative to other types of threats, have serious consequences for today’s enterprises. The majority of Spearphishing attacks ultimately lead to financial loss, making them incredibly dangerous to victims and incredibly valuable to Cybercriminals. Spearphishing uses customization methods superior to those used in mass scams and malicious attacks, resulting in significantly higher user open and conversion rates. These success factors have made Spearphishing attack infections more effective, and hence more commonplace, which is corroborated by Federal Trade Commission estimates of 9 million Americans having their identities stolen each year.

The value per victim in Spearphishing attacks can vary substantially, with the mean and median values being quite high. For example, according to primary consumer research conducted by Javelin Strategy & Research, the mean identity fraud amount per victim was $4,607 in 2010. If we use a conservative estimate of user loss, $400, the total Cybercriminal benefit resulting from Spearphishing attacks amounts to $150 million in June 2010 on an annualized basis. This figure has tripled from $50 million a year ago; it is expected to continue increasing in the coming months as Cybercriminal activity returns to its prior business levels.

Impact of Targeted Attacks

The malicious nature of targeted attacks causes them to be very expensive to society in general and to individual organizations specifically. The cybercriminal benefit from a targeted attack, while substantial, is not easy to estimate because it is highly variable, based on the specific victim and intellectual property compromised. However, the cybercriminal benefit is a subset of the overall cost to the victim organization, which also depends heavily on the organization’s reputation and status. The organizational costs resulting from targeted attacks can vary. According to the FBI, these costs can range from thousands to hundreds of millions USD.

Similarly, the Ponemon Institute has estimated the potential cost per organizational data breach to range anywhere from US$1 million to US$58 million. As an example, a large gaming platform provider reported that the unauthorized access to its network that occurred in Q2 of 2011 has resulted in currently known associated costs of approximately US$172 million. Costs include personal information theft protection programs, insurance to cover identity theft losses, costs of “welcome back” programs, customer support costs, network security enhancement costs, legal and expert costs, and the impact on profits due to possible future revenue decreases.

In another example, a public payments processor company experienced a data breach resulting in millions of compromised user account credentials. A year later, the company reported related expenses totaling US$105 million. As per their 10-Q SEC filing, “The majority of these charges, or approximately $90.8 million, related to:

assessments imposed by MasterCard and VISA against us and our sponsor banks

settlement offers we made to certain card brands in an attempt to resolve certain of the claims asserted against our sponsor banks (who have asserted rights to indemnification from us pursuant to our agreements with them)

expected costs of settling with certain claimants with whom settlement discussions are underway”

During the same timeframe from the intrusion to the 10-Q results, the company lost 30% of its value relative to the Standard and Poor’s 500 Index, or roughly $300 million in shareholder value. Ultimately, the corporate reputation is tarnished at a cost more significant than the costs of the monetary loss and remediation combined.

Overall Impact of Attacks

It’s clear that the shift in Cybercriminal business models has provided an interim benefit from lower threat activity. Organizations are only partially able to appreciate the reduction in Cybercriminal activity, though, as their costs can encompass far more than financial loss. To estimate these total losses, Cisco SIO conducted primary research with 361 organizations located globally to understand their perspectives.

The organizational impacts of attacks can be categorized as follows:

Financial

Remediation

Reputation

Financial: Financial loss directly to the Cybercriminals can range widely based on the specific attack; as a result, organizations cannot estimate the loss.

Remediation: The remediation costs of Spearphishing and targeted attacks are incurred by victim organizations. The administrative team must identify and remediate the compromised hosts; this can be challenging given the increasing use of surreptitious applications. Because of the complexity of current targeted attacks and the underlying malware, costs for remediation can be significant. Remediation costs include the time required to address the infected host and the corresponding opportunity cost of that time. With the organizations surveyed, Cisco observed that infected hosts take an average of two hours of dedicated effort to resolve. The cost basis of two hours of effort per resolution is specific to each organization, as is the corresponding opportunity cost of that time. Based on Cisco SIO research, organizations estimated that the direct remediation cost per infected user is $640, or 2.1 times that of the direct monetary loss.

Reputation: The negative reputation impact of attacks can be experienced over time by victim organizations and users. For example, building a brand typically takes years, but a negative event or news story, especially one that is highly visible, can quickly tarnish a company’s image. The direct impact can be a significant decline in business, sometimes even leading to the organization’s demise. Determining the true costs of adverse reputation impact can be challenging, as is estimating the value of an organization’s brand. Nevertheless, organizations have made it clear that adverse events can impact their reputation, which in turn can create a significant decline in business and shareholder value. Based on Cisco SIO research, organizations estimated that the reputation cost per infected user is $1,900, or 6.4 times that of the direct monetary loss.

Combined Impact: The overall costs of Spearphishing and targeted attacks to organizations are substantially more than their direct monetary loss to Cybercriminals.

While the costs can vary widely depending on the specific organization and attack, one point is clear: The overall costs to organizations can be significant. In addition, reputation management and remediation efforts can create a strain on the organization.

Cisco’s Conclusion to its research

The increased number of low volume targeted attacks has impacted users in many organizations, regardless of industry, geography and size. Their prevalence has caused both a related increase in criminal financial benefit and impact on victimized organizations. Organizations have to bear the burden of not only the monetary loss but also the cost of remediating infected hosts and the negative impact on their brand reputation. With the number of targeted attacks expected to increase, Cybercriminal activity will continue to evolve, as will its impact.


On the 30th June Reuters published a very interesting interview with Jeremy Burton, the Chief Marketing Officer of RSA/EMC. The interview as published by Reuters is below.

Reuters 30/6/11 Data storage firm EMC has a good idea of who was behind an attack on its RSA security division that may have compromised SecurID keys used by 40 million employees of governments and corporations worldwide.

But Chief Marketing Officer Jeremy Burton said on Thursday the identity of the hacker or hackers was less important than what measures companies could take to defend against such attacks, and declined to name the suspected party.

“We’ve got an idea although we can’t pin it on Joe Brown from such and such. We’ve got a very good idea because of the nature of the attack but actually that’s not even that important,” he told Reuters in an interview in London.

RSA disclosed in March that hackers had stolen information that could be used to reduce the effectiveness of SecurID tokens in keeping intruders from accessing corporate networks.

It has said it believes the attackers were more interested in intellectual property than in financial gain.

SecurIDs are widely used electronic keys to computer systems designed to thwart hackers by requiring two passcodes: one fixed PIN and another six-digit number that is automatically generated, typically every 60 seconds, by the security system.

Burton reiterated that EMC was working hard to rebuild the trust of its customers in the RSA brand. “Basically, since March, we’ve been doing nothing but doing one on one sessions.”

“Where we’re at right now with our customer base is making sure that the guys who have asked for token replacement get one in a timely fashion and we’ve ramped up the manufacturing to be able to cope with that,” he said.

RSA’s reputation took a second hit after the initial disclosure of the breach in March last when hackers used technology stolen from RSA to attack defence contractor Lockheed Martin last month.

EMC has since offered to replace millions of potentially compromised SecurID electronic keys.

Burton said the company intended to ramp production of RSA tokens into the millions per month from a baseline rate of a few hundred thousand. He could not predict for how many months the increased production might continue.

EMC said last quarter its RSA margins had fallen to 54.1 percent from 67.6 percent a year earlier for costs associated with the security breach.

“If there are more costs and we need to take another charge in the name of customer satisfaction, we will,” Burton said.

EMC’s chief financial officer said in April that growth in the RSA business would slow in the short term.

RSA is small in terms of EMC’s revenue, last year accounting for $730 million (454 million pounds), or 4 percent, of its $17 billion in sales.

Yet it is a high-profile asset whose technology EMC has used to secure the company’s other products, including its software and data storage equipment.

Companies that sell alternatives to RSA’s SecurIDs, such as Symantec and Vasco Data Security International, have leapt on the opportunity to win customers.

Burton said he was not aware of any other customers beyond Lockheed Martin who had suffered cyber attacks as a result of the RSA security breach.